METHODS AND APPARATUS FOR COLLECTING, STORING,
PROCESSING AND USING NETWORK TRAFFIC DATA

FIELD OF THE INVENTION

The present invention is directed to the collection, storage,
processing and use of data in computer networks, and more
specifically, to the collection, storage, processing and use of
data relating to network traffic.
BACKGROUND OF THE INVENTION 

The use of computer networks, and inter-connected groups of
computer networks referred to as intranets, continues to be on
the increase. The World Wide Web (WWW), sometimes referred to as
the Internet, is an example of a global system of inter-connected
computer networks used for both business and personal pursuits.
The increased use of intranets within individual businesses and
the increased use of the Internet globally is due to the
increased number of computer networks in existence and the ease
with which data, e.g., messages and/or other information, can now
be exchanged between computers located on inter-connected
networks.

Figure 1 illustrates an intranet 10 implemented using known
networking techniques and three local area networks (LANS) 20,
30, 40. The intranet 10 may be implemented within a business by
linking together physically remote LANS 20, 30, 40. In the
intranet 10, each of the first through third LANS 20, 30, 40
includes a plurality of computers (21, 22, 23) (31, 32, 33)
(41, 42, 43), respectively. The computers within each LAN 20, 30,
40 are coupled together by a data link, e.g., an Ethernet, 26,
36, 46, respectively. The first LAN 20 is coupled to the second
LAN 30 via a first router 18. Thus, the router 18 couples data
links 26, 36 together. Similarly, the second LAN 30 is coupled to
the third LAN 30 via a second router 19 which couples data
links 36 and 46 together.

As is known in the art, the transferring of data in the form of
packets can involve processing by several layers which are
implemented in both hardware and/or software at different points
in a network. A different protocol may be used at each level
resulting in a protocol hierarchy.

At the bottom of the protocol hierarchy is the network layer
protocol. One or more application layer protocols are located
above the network layer protocol. In the present application,
when describing a protocol associated with a data packet, the
protocol associated with the packet will be described in terms
of the protocols and layers associated therewith.

For example, the annotation:

<network-layer>/<application-layer 1>/.../<application-layer N>

is used to describe the protocol hierarchy of the top-level
(application-layer N) protocol. As another example, consider a
packet which uses the SNMP (Simple Network Management Protocol)
running over UDP (User Datagram Protocol), running on an IP
(Internet Protocol) network-layer protocol. Such a packet would
be described herein as an IP/UDP/SNMP packet.

As networks have grown in size and the volume of data being
passed over networks has increased, system administrators have
been faced with the job of planning and maintaining networks of
ever increasing size and complexity.

Network traffic information can be used when trouble shooting
problems on an existing network. It can also be used when
controlling routing on a system with alternative routing paths.
In addition, information on existing or changing network traffic
trends is useful when decisions on upgrading or expanding
service are being made. Thus, information on network traffic is
useful both when maintaining an existing network and when
planning modifications and/or additions to a network. Given the
usefulness of network traffic information, system administrators
have recognized the need for methods and apparatus for
monitoring network activity, e.g., data traffic.

Because intranets often encompass geographically remote systems
and/or networks, remote monitoring of network traffic is often
desirable.

In order to facilitate the monitoring of network activity,
remote monitoring (RMON) devices, often called monitors or
probes, are sometimes used. These devices often serve as agents
of a central network management station. Often the remote probes
are stand-alone devices which include internal resources, e.g.,
data storage and processing resources, used to collect, process
and forward, e.g., to the network management system, information
on packets being passed over the network segment being
monitored. In other cases, probes are built into devices such as
routers and bridges. In such cases, the available data
processing and storage resources are often shared between a
device's primary functions and its secondary traffic monitoring
and reporting functions. In order to manage an intranet or other
network comprising multiple segments many probes may be used,
e.g., one per each network segment to be monitored.

Network traffic data collected by a probe is normally stored
internally within the probe until, e.g., being provided to a
network management station. The network traffic data is usually
stored in a table sometimes referred to as a management
information base (MIB). Recently, RMON2 MIB standards have been
set by the Internet Engineering Task Force (IETF) which increase
the types of network traffic that can be monitored, the number
of ways network traffic can be counted, and also the number of
data formats which can be used for storing collected data. RMON2
tables may include a variety of network traffic data including
information on network traffic which occurs on layers 3 through
7 of the Open Systems Interconnect (OSI) model. The particular
network traffic information which is available from a probe will
depend on which data table the probe implements and the counting
method employed.

Currently, four different RMON2 matrix (or conversation) table
types are possible: alMatrix, alMatrixTopN, nlMatrix, and
nlMatrixTopN.

Complicating matters, alMatrixTopN tables support two counting
modes of operation which affect the manner in which the counting
of packets and bytes is performed at the various protocol
layers. The first of these counting modes will be referred to
herein as all count mode. In this mode, each monitored packet
increments the counters for all the protocol layers used in the
packet. For example, an IP/TCP/HTTP packet would increment the
packet and byte counters for the IP, TCP and HTTP protocols. The
second counting mode will be referred to herein as terminal
count mode. In this mode, each monitored packet increments only
the counter of the highest-layer protocol in the packet. For
example, an IP/TCP/HTTP packet would increment the packet and
byte counters for only the HTTP protocol. Note that the terminal
count mode may only be used with the alMatrixTopN table.
However, all count mode can be used with all the RMON2 tables
discussed above including the alMatrixTopN table.
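The two counting modes, shown as an added example that is not part of the original document: the same packets are counted in all count mode and in terminal count mode, and terminal counts are then derived from an all count table. The sample packets, the function names and the derivation by subtracting each protocol's total from its nearest listed ancestor are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: (protocol path, size in bytes) for the packets of one
# monitored conversation. Paths use the <network-layer>/<application-layer>
# notation introduced earlier in the document.
SAMPLE_PACKETS = [
    ("IP/TCP/HTTP", 1500),
    ("IP/TCP/HTTP", 400),
    ("IP/TCP/FTP", 900),
    ("IP/TCP", 60),         # TCP segment with no decoded child protocol
    ("IP/UDP/SNMP", 120),
    ("IP", 84),             # IP packet with no decoded child protocol
]


def hierarchy(path):
    """Return every protocol a packet passes through: IP, IP/TCP, IP/TCP/HTTP."""
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def count_all_mode(packets):
    """All count mode: a packet increments the counters of every layer it uses."""
    pkts, octets = Counter(), Counter()
    for path, size in packets:
        for proto in hierarchy(path):
            pkts[proto] += 1
            octets[proto] += size
    return dict(pkts), dict(octets)


def count_terminal_mode(packets):
    """Terminal count mode: a packet increments only its highest-layer protocol."""
    pkts, octets = Counter(), Counter()
    for path, size in packets:
        pkts[path] += 1
        octets[path] += size
    return dict(pkts), dict(octets)


def all_to_terminal(all_counts):
    """Derive terminal-mode counts from an all-count-mode table (hypothetical helper).

    Each protocol's total is subtracted from its nearest ancestor that has an
    entry in the table, leaving only the traffic that terminated at that ancestor.
    """
    terminal = dict(all_counts)
    for proto, total in all_counts.items():
        ancestors = hierarchy(proto)[:-1]
        parent = next((a for a in reversed(ancestors) if a in all_counts), None)
        if parent is not None:
            terminal[parent] -= total
    for proto, value in terminal.items():
        if value < 0:
            raise ValueError(f"inconsistent table: children of {proto} exceed it")
    # Protocols that only carried child traffic end up at zero and are dropped.
    return {proto: value for proto, value in terminal.items() if value}


if __name__ == "__main__":
    pkts_all, _ = count_all_mode(SAMPLE_PACKETS)
    pkts_term, _ = count_terminal_mode(SAMPLE_PACKETS)
    print("all count mode:     ", pkts_all)
    print("terminal count mode:", pkts_term)
    print("derived from all:   ", all_to_terminal(pkts_all))
```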

Accordingly, probes may now collect and store data in tables
corresponding to any one of five different RMON2 formats. The
five different RMON2 table possibilities are identified herein
as alMatrixTopN (Terminal Count Mode), alMatrixTopN (All Count
Mode), alMatrix, nlMatrix and nlMatrixTopN tables.

Numerous distinctions exist between the various types of tables
that may be supported by an RMON2 probe.

Network-layer (nl) tables, e.g., nlMatrix and nlMatrixTopN
tables, count only those protocols which are deemed to be
network-layer protocols. Network-layer protocols are the
protocols which are used to provide the transport-layer services
as per the well known ISO OSI 7-layer protocol model, and
include, for example, such protocols as IP, IPX, DECNET, NetBEUI
and NetBIOS among others. No child-protocols of the
network-layer protocols are counted in network-layer tables.



Application-layer (al) tables, e.g., alMatrixTopN (Terminal
Count Mode), alMatrixTopN (All Count Mode), and alMatrix tables,
count any protocol that is transport layer or above, provided
the probe knows how to decode the protocol. This includes, e.g.,
everything from IP through to IP/UDP/SNMP, Lotus Notes traffic,
WWW traffic, and so on. Application-layer tables provide
information on a super-set of the protocols which the
network-layer (nl) tables provide, by counting child-protocols
of the supported network-layer protocols.

In addition to the different types of protocol data that will be
monitored depending on whether a network layer (nl) or
application layer (al) table is being supported, the method of
counting data will vary depending on the supported table type.

The alMatrix and nlMatrix tables monitor conversations which
occur in the network, and keep count of the total number of
bytes and packets seen for each conversation for each monitored
protocol since the probe was turned on. If the probe has been
reset since it was turned on, then the counters store the number
of bytes and packets seen since the last time the probe was
reset. These kinds of counters will be referred to herein as
absolute counters. The entries in alMatrix and nlMatrix tables
are ordered by address and protocol.

The alMatrixTopN and nlMatrixTopN tables also monitor all
conversations which occur in the network, and also keep count of
the number of bytes and packets seen for each conversation.
However, there are several differences. MatrixTopN tables must
be configured by the user or by a client program, and are
configured to have a maximum number of entries and a time
interval for which the table will be generated. Once configured,
the probe will perform the following steps until the MatrixTopN
table is destroyed (either by a request from the user, or client
program, or by the probe being turned off):



1. Monitor the conversations in the network, counting the
   packets and bytes seen over the specified time interval.

2. Once the time interval is reached, then generate a table of
   the top N conversations seen in the network. This table can
   then be retrieved by the user (or client program), and is
   held until the next table is generated, which then replaces
   the current table. The ordering in a MatrixTopN table may be
   either by the number of packets seen, or by the number of
   bytes seen.

3. Go back to step 1.

As MatrixTopN tables monitor the number of packets and bytes
seen over the specified time interval, with the counters being
effectively reset each time a new table of the top N
conversations is generated, the counters generated by MatrixTopN
tables are referred to herein as delta counters.
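The difference between absolute and delta counters, as an added example that is not part of the original document: successive reads of an absolute-counter table are turned into per-interval deltas, and a top N table ordered by packets or by bytes is built for each interval. The snapshot data and function names are constructed, and treating a decreasing counter as the sign of a probe reset is an assumption of this sketch.

```python
# Constructed sample: three successive reads of an absolute-counter table.
# Key = (source, destination, protocol); value = (packets, bytes) seen since
# the probe was turned on or last reset.
SNAPSHOTS = [
    {("A", "B", "IP/TCP/HTTP"): (10, 9000),
     ("A", "C", "IP/UDP/SNMP"): (4, 480)},
    {("A", "B", "IP/TCP/HTTP"): (25, 21000),
     ("A", "C", "IP/UDP/SNMP"): (5, 600),
     ("B", "C", "IP/TCP/FTP"): (7, 70000)},
    # The probe was reset before this read, so its counters restarted.
    {("A", "B", "IP/TCP/HTTP"): (3, 2000),
     ("B", "C", "IP/TCP/FTP"): (1, 64)},
]


def probe_was_reset(previous, current):
    """Absolute counters only grow, so any counter that went down implies a reset."""
    for key, (pkts, octets) in current.items():
        if key in previous:
            prev_pkts, prev_octets = previous[key]
            if pkts < prev_pkts or octets < prev_octets:
                return True
    return False


def deltas(previous, current):
    """Delta counters for one interval, computed from two absolute-counter reads.

    After a reset the current values already count from zero, so they are used
    as the delta; traffic between the previous read and the reset is lost.
    """
    baseline = {} if probe_was_reset(previous, current) else previous
    result = {}
    for key, (pkts, octets) in current.items():
        base_pkts, base_octets = baseline.get(key, (0, 0))
        delta = (pkts - base_pkts, octets - base_octets)
        if delta != (0, 0):          # idle conversations do not appear
            result[key] = delta
    return result


def top_n(interval_deltas, n, order_by="packets"):
    """Top N conversations of one interval, ordered by packets or by bytes."""
    index = {"packets": 0, "bytes": 1}[order_by]
    ranked = sorted(interval_deltas.items(),
                    key=lambda item: item[1][index], reverse=True)
    return ranked[:n]


def top_n_tables(snapshots, n, order_by="packets"):
    """One top N table per interval; each new table replaces the previous one."""
    return [top_n(deltas(prev, curr), n, order_by)
            for prev, curr in zip(snapshots, snapshots[1:])]


if __name__ == "__main__":
    for number, table in enumerate(top_n_tables(SNAPSHOTS, 2), start=1):
        print(f"interval {number}:")
        for conversation, (pkts, octets) in table:
            print("   ", conversation, pkts, "packets", octets, "bytes")
```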

Because intranets and the networks which comprise intranets are
frequently implemented and modified over a period of time, a
plurality of different probes, often supporting different data
traffic table formats, will frequently be encountered in the
same network. In some cases, a probe may have insufficient
processing and data storage resources to support all but the
least resource intensive data table format, e.g., an nlMatrix
table. Accordingly, the information included in traffic data
tables of probes may vary from probe to probe depending on the
particular protocols monitored, the individual probe's available
resources, and the MIB format implemented by the individual
probes.

The numerous variations in data counting method and monitored
protocol layer discussed above can cause network traffic data
collected from probes to be difficult to compare, process and
display in a manner that can be easily understood by a human.

One solution to the problem of different data [...] by different
probes in a network, is to [...] probes, which provide data in
[...]. [...] approach tends to [...] existing probes, adding new
probes, and/or using probes which, at least in some locations,
provide a greater data collection [...]. Thus, for cost reasons,
[...] solution to resolving problems resulting from a lack of
consistency among probe data collection and storage techniques.

While the recent addition of support for including information
about child protocols in at least some data tables greatly
increases the level of detailed information that can be
collected regarding network traffic, it has led to increases in
data storage and processing requirements. As the volume of
network and intranet activity continues to increase into the
Gigabytes/sec range, space required to store detailed network
traffic information for extended periods of time can become
[...]. [...] storage requirements for a probe maintaining
network traffic data can be significant, the data storage
requirements for a management system storing data obtained from
several probes is many times greater.

One known technique for limiting the growth of a network traffic
database is referred to as data aging. Data aging involves
periodically scanning the stored data and, during the scan, data
records that are older than certain preselected age limits are
read and get combined, e.g., added together, to create an
additional set of data records of lower resolution than the
records used to create the additional set. The records used to
create the lower resolution set of data records are then deleted
from the original database. When this technique is used, there
are normally multiple age limits set up, resulting in multiple
data sets corresponding to different non-overlapping time
periods. In such a system, the older the data records become,
the lower the resolution of those records will be. Hence less
disk space is required to store records corresponding to a fixed
period of time, the longer in the past the fixed period of time
occurred.

Unfortunately, the known data aging technique has several
disadvantages, both from an implementation standpoint and from
the standpoint of a human system administrator attempting to use
the stored network traffic information.

From an implementation standpoint, the known system has the
distinct disadvantage of requiring double buffering of the data
while the aging process is being performed. Such double
buffering is required so [...] will still give [...]. [...]
process also has the [...] significant periodic [...] processing
resources [...] other [...] a management station, [...]
operation is being performed.

[...] known data [...] multiple, non-overlapping data [...]
resolutions corresponding to [...]. Such a [...] review and
compare data [...] to detect, e.g., network traffic problems,
since the data [...] correspond to different time periods.

In view of the above discussion, it becomes apparent that there
is [...] methods and apparatus for collecting and handling
network traffic data from probes.

[...] there is a need for methods of collecting [...] traffic
data that minimize the number of different [...] and data tables
which must be processed. In [...] a need for new methods and
apparatus [...] processing data received in differing [...]
database of network traffic data which can easily [...] accessed
by other applications and/or presented [...].

[...] collecting, processing, and storing network traffic data
be compatible with existing probe data formats. It is also
desirable that the new methods and apparatus be capable of being
used with, or adapted to being used with, probe data formats
that may be supported in the future.

In particular, it is desirable that at least some new methods
and apparatus be capable of working with network traffic data in
a plurality of table and count formats including various RMON2
tables. It is also desirable that any such method and/or
apparatus not require a specific one of the tables to be used by
a probe which would result in a constraint on probe selection
and probe resource requirements.

In view of the above, it is apparent that there remains
considerable room for improvement in how network traffic data is
collected, stored, processed and presented to network
administrators and other individuals responsible for the design,
maintenance and upgrading of networks and intranets.

SUMMARY OF THE PRESENT INVENTION

The present invention is directed to methods and apparatus for
collecting, storing, processing and using data, e.g., network
traffic data, in computer networks.

Several embodiments of the present invention are directed to
dealing with the difficulties associated with collecting and
processing network traffic data. As discussed above, one of the
major problems encountered with collecting and processing
network traffic data is the numerous different counting
techniques and data table storage formats that may be used by
various probes in the same system.



In order to provide a high degree of detailed information for
subsequent applications, attempts are made by the method of the
present invention to collect application layer traffic data as
well as network layer traffic data.

To reduce problems due to different counting techniques and data
table formats, the present invention processes collected network
traffic data as required, to place it into a common data format.
The common data format is selected to provide a maximum degree
of information in a format that is easy to use, [...] generation
and graphing applications.

From a user standpoint, it was determined that, in at least one
embodiment of the invention, it was desirable that the common
data format include delta count values as opposed to absolute
count values and that application layer information be presented
in terminal count mode as opposed to all count mode.

In order to reduce the amount of processing required to put the
data in the desired common format, and the temporary data
storage requirements associated with such processing, the system
of the present invention controls network traffic data probes to
provide data in a format that is as close to the desired format
as possible, given an individual probe's capabilities.

One specific embodiment of the present invention is directed to
the use of RMON2 probes and RMON2 data tables.

In one such embodiment, to minimize the amount of data
processing required to put a probe's network traffic data into
the common format used by a management system of the present
invention, and to maximize the amount of information collected,
network data is obtained from a probe using one of the available
RMON2 table formats. In accordance with the present invention
the RMON2 format is selected in the following order of
preference: alMatrixTopN (Terminal Mode), alMatrixTopN (All
Mode), alMatrix, nlMatrixTopN and nlMatrix.

RMON2 alMatrixTopN (Terminal Mode) data tables satisfy the
format requirements used in the present invention and therefore
do not require a conversion operation to be performed. In
addition RMON2 alMatrixTopN (Terminal Mode) data tables include
both application layer and network layer data. For these
reasons, the RMON2 alMatrixTopN (Terminal Mode) data table is
the most preferred of the RMON2 tables in the above discussed
embodiment.

Once network traffic data is collected and placed in a common
format, it is ready for use in generating displays and/or
network traffic databases.

In one particular embodiment of the present invention, the
network traffic data, in the common data format, is stored in a
network traffic database to allow for future analysis such as
baselining and troubleshooting.

The known database aging process is avoided by the system of the
present invention, by creating and maintaining a database that
includes multiple parallel sets of network traffic data at
different resolutions. In accordance with the database
generation and maintenance routine of the present invention, a
data set for each different resolution is stored in a first-in,
first-out (FIFO) data structure. The oldest records in the FIFO
data structure are overwritten when there is no longer any
unused storage space available for storing the records of the
resolution to which the data structure corresponds.

Because the network traffic database of the present invention is
not aged, the periodic processor loading associated with aging
of databases is avoided. In addition, the need to double buffer
the database data during an aging process is eliminated since no
aging is performed.

The parallel database routines of the present invention also
have the advantage of being well suited to a multiprocessor
environment since each data set can be maintained and updated
independently.

In the databases of the present invention, the database records
at the different resolutions overlap covering the same time
period. This makes it relatively easy for a system administrator
to review database records corresponding to the same time period
at different resolutions. This can facilitate a system
administrator's attempts to identify network traffic problems
and/or trends without the need to perform complicated processing
when comparing or switching between data at different
resolutions.
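The parallel, FIFO-backed data sets described above, as an added example that is not part of the original document: every incoming sample is written to an hourly and a 6-hourly data set independently, each held in a fixed-size FIFO that overwrites its oldest record when full. The class name, record layout, capacities and sample data are assumptions made for illustration, and samples are assumed to arrive in time order.

```python
from collections import deque


class ParallelTrafficDB:
    """Parallel data sets of different resolutions, each stored in its own FIFO."""

    def __init__(self, capacities):
        # capacities maps resolution in hours -> maximum number of records kept.
        self.data_sets = {res: deque(maxlen=cap) for res, cap in capacities.items()}

    def add(self, hour, conversation, octets):
        """Add one delta sample taken at `hour` to every data set independently."""
        for res, fifo in self.data_sets.items():
            start = hour - hour % res          # start of the bucket for this resolution
            if not fifo or fifo[-1]["start"] != start:
                # New bucket: with maxlen set, append() discards the oldest
                # record once the FIFO is full. No aging pass is ever run.
                fifo.append({"start": start, "hours": res, "octets": {}})
            totals = fifo[-1]["octets"]
            totals[conversation] = totals.get(conversation, 0) + octets

    def coverage(self, res):
        """(first hour, end hour) currently covered at a resolution, or None."""
        fifo = self.data_sets[res]
        if not fifo:
            return None
        return fifo[0]["start"], fifo[-1]["start"] + res

    def total(self, res, first_hour, end_hour, conversation):
        """Bytes for a conversation from records lying fully inside [first, end)."""
        return sum(rec["octets"].get(conversation, 0)
                   for rec in self.data_sets[res]
                   if first_hour <= rec["start"] and rec["start"] + res <= end_hour)


SAMPLE_CONVERSATION = ("A", "B", "IP/TCP/HTTP")


def build_sample_db():
    """Constructed input: 24 hourly samples, hour h carrying h + 1 bytes."""
    db = ParallelTrafficDB({1: 12, 6: 8})      # 12 hourly records, 8 six-hourly records
    for hour in range(24):
        db.add(hour, SAMPLE_CONVERSATION, hour + 1)
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for res in (1, 6):
        print(f"{res}-hour data set covers hours", db.coverage(res))
    # The same period can be read at either resolution without conversion.
    print("hours 12-18, hourly:  ", db.total(1, 12, 18, SAMPLE_CONVERSATION))
    print("hours 12-18, 6-hourly:", db.total(6, 12, 18, SAMPLE_CONVERSATION))
    # Older history survives only in the coarser data set.
    print("hours 0-6, hourly:    ", db.total(1, 0, 6, SAMPLE_CONVERSATION))
    print("hours 0-6, 6-hourly:  ", db.total(6, 0, 6, SAMPLE_CONVERSATION))
```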

In addition to the above described features, many other features
and embodiments of the present invention are described in detail
below.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram of a known intranet arrangement.

Figure 2 is a block diagram of an intranet including a
management system implemented in accordance with one embodiment
of the present invention.

Figure 3 is a diagram of a protocol hierarchy used in various
examples discussed herein.

Figure 4A is a flow chart of a management system initialization
routine implemented in accordance with the present invention.

Figure 4B is an exemplary probe information/data table created
by executing the initialization routine illustrated in Fig. 4A.

Figure 5 is a diagram showing the processing of network
conversation data in accordance with one exemplary embodiment of
the present invention.

Figure 6A illustrates a method of collecting network traffic
data from probes and converting the collected data into a common
data format.

Figure 6B illustrates the conversion of various RMON2 data
tables into the common data format used in accordance with
various embodiments of the present invention.

Figure 7 is a block diagram illustrating the generation of a
network traffic database including parallel sets of data of
differing resolutions.

Figure 8 is a flow chart illustrating a method of the present
invention for generating a network traffic database including
parallel sets of network traffic stored at different
resolutions.

Figure 9 illustrates a network traffic database including
parallel data sets having an hourly and 6-hourly resolution.

Figure 10 is a flow chart illustrating a network traffic
database including parallel sets of network traffic information
stored at different resolutions.

DETAILED DESCRIPTION

As discussed above, the present invention relates to methods and
apparatus which can be used to collect, store, and process data,
e.g., data regarding traffic in a computer network or intranet.
It is also directed to methods of presenting network traffic
data in a format that can be easily understood by a person,
e.g., an individual responsible for managing the computer
network or networks being monitored.

Referring now to Fig. 2, there is illustrated an intranet 200
implemented in accordance with one embodiment of the present
invention. Various elements of the intranet 200 which are the
same as, or similar to, the known intranet 10, are identified
using the same reference numerals used in Fig. 1.

As illustrated, the intranet 200 comprises first through third
LANS 120, 130, 140 each of which includes a plurality of
computers (21, 22, 23) (31, 32, 33) (41, 42, 43), respectively.
The computers within each LAN 120, 130, 140 are coupled together
by a data link, e.g., an Ethernet, 26, 36, 46, respectively. The
first LAN 120 is coupled to the second LAN 130 via a first
router 17 which couples data links 26, 36 together. The first
LAN 120 is also coupled to the third LAN 140 via a second
router 18.

The second LAN 130 is coupled to the third LAN 130 via a third
router 19 which couples data links 36 and 46 together.



Data links 26, 36 and 46 are network segments within the
intranet 200. In order to obtain information on each of the
network segments 26, 36, 46 probes 127, 137, 147 are included in
each of the first through third LANs, respectively. Each probe
is coupled to the data link, e.g., Ethernet, which is included
in the LAN in which the probe resides. Because the first
probe 127 is coupled to the first Ethernet 26 it can collect
information about traffic on the network segment 26. Similarly,
the second and third probes 137, 147 are able to collect
information about traffic on the network segments 36, 46 to
which they are coupled, respectively. In accordance with one
embodiment of the present invention, the probes 127, 137, 147
collect and store network traffic data in one or more RMON2
tables (MIBs).

The probes 127, 137, 147 may include memory, a processor, an I/O
interface device and a mass storage device, such as a disk
drive. In one embodiment, probes 127, 137, 147 are implemented
using known network traffic data probes.



In accordance with the present invention, each of the
probes 127, 137, 147 is coupled to a management station 150
which also forms part of the intranet 200. The management
station 150 includes a display device 152, one or more central
processing units (CPUs) 154, 155, a keyboard 156, a mass storage
device 158 for storing, e.g., a data base, and memory 162 which
are coupled together by a bus 163. The mass storage device 158
may be, e.g., a disk drive or array of drives. In the embodiment
illustrated in Fig. 2, two CPUs 154, 155 capable of operating in
parallel are shown. However, in many embodiments, a single
CPU 154 is used on a time shared basis, e.g., to perform
database generation and maintenance operations.

The bus 163 couples the discussed management station components
to an input/output (I/O) interface 160 used to connect the
management station and its components to the first through third
probes 127, 137, 147. The I/O interface 160 is responsible for
interfacing between the various devices coupled thereto.

One or both of the management station's CPUs 154, 155 can be
used to control the operation of the management station 150 as a
function of various routines stored in the memory 162. The use
of one or both of the CPUs in controlling the operation of the
management station 150 depends on the implemented operating
system. For exemplary purposes it will be assumed that only
CPU 154 is used to control operation of the management
station 150.

The routines stored in the memory 162 include initialization
routines 171, data collection and conversion routines 164,
parallel data set generation routines 166, and
processing/filtering/display routines 168. The various routines
may be implemented as computer programs. In addition to the
routines 171, 164, 166, 168, the memory 162 may include probe
information and data tables received from the probes 127, 137
and 147.

The memory 162 may also include a buffer 173 for temporarily
storing data tables converted to the common format of the
present invention. The collected probe data stored in the
buffer 173 is processed by the CPU 154 under control of
routines 164, 166, 168 and stored in a network traffic
information database located on the storage device 158 as will
be discussed below.

The keyboard 156 can be used for inputting queries regarding
network traffic information. Charts and statistics regarding
network traffic information are generated by the CPU 154 in
response to such queries using the data included in the network
traffic database. The charts and statistics are displayed on the
display device 152 and/or printed on a printer 170 coupled to
the management station 150.

Figure 3 illustrates an exemplary protocol hierarchy in the form
of a tree 301 which may be retrieved from one of the probes 127,
137, 147 for a monitored conversation between two devices
included in the intranet 200. The hierarchy illustrated in
Fig. 3 will be used in the discussion which follows to
illustrate various points. Note that, while a probe 127, 137,
147 may support many thousands of protocols, only those
protocols which have been seen for a particular conversation
will be stored in the data table or tables supported by the
probe and thus will be the only protocols which may be retrieved
by the management station 150 from the probe for that
conversation.

In the Fig. 3 diagram, the protocols shown are IP (Internet
Protocol), UDP (User Datagram Protocol), SNMP (Simple Network
Management Protocol), TCP (Transmission Control Protocol), FTP
(File Transfer Protocol) and HTTP (Hyper-Text Transfer
Protocol - also sometimes referred to as WWW (World Wide Web)
traffic).

The tree 100 has been divided into two halves: the network-layer
protocol 303 and the application-layer protocols 305. This
division will be used in later examples.

The conversation for which the tree has been generated is a
conversation between two devices, e.g., computers A and B 21,
22, using the IP network-layer protocol.

The IP/UDP protocol is shown in a dotted box - this is to
represent that, while the IP/UDP/SNMP packets were monitored
by the probe 127, the probe 127 had the IP/UDP protocol
turned off. This is a feature of (the ability to turn off the
monitoring of protocols), and means that any pure IP/UDP
packets would not be counted. Thus, a count of any pure
IP/UDP packets on the network segment 26 would not be
supplied by the probe to the management station 150 on
retrieval of the network traffic data from the probe 127.
However, child protocols of IP/UDP (such as IP/UDP/SNMP)
would continue to be counted and supplied to the management
station 150 from the probe 127.

As IP/UDP is not being monitored by the probe we can describe
this tree using the following format:

    IP
    IP/UDP/SNMP
    IP/TCP
    IP/TCP/FTP
    IP/TCP/HTTP

variety of probes 127, 137, 147, with differing capabilities,
and differing network data table formats, in accordance with
the present invention, the management station 150 collects
and processes network traffic data from the probes 127, 137,
147 included in the network. In order to simplify subsequent
data processing operations, the network traffic data received
from the probes is processed to place it in a consistent
format that can be used to support queries, storage, and
displaying of network traffic data in a format that is easy
to process and understand. By converting network traffic data
into a consistent format at an early stage, processing
components and modules, e.g., the parallel data set
generation routines 165 and processing/filtering/display
routines 158, can be isolated from the complexities
associated with varying network traffic data formats
encountered from probe to probe.

The inventors of the present application recognized that, for
most purposes, what is of interest is the network traffic
during a specific time interval and not the total amount of
traffic monitored from the time a probe is turned on.
Accordingly, in determining the common format into which
network traffic data should be placed, it was decided that a
delta counting, as opposed to absolute counting, technique
should be used. In addition, it was decided that, for maximum
flexibility, it was useful to obtain as much detail about
network traffic as possible. Accordingly, it was decided that
the common data format should include application layer
protocol information when available. In addition, it was
decided that it was more useful to have the data represented
in terminal count mode, as opposed to all count mode.

Unfortunately, the only RMON2 table which satisfies the above
discussed criterion selected for a common data format is the
alMatrixTopN (terminal count mode) table. Because nlMatrix
and nlMatrixTopN tables only include network layer traffic
data, these two tables are considered the least useful and
are not used unless the probe from which the data is being
obtained does not support one of the three possible
application layer tables.

To minimize the amount of data processing required to put a
probe's network traffic data into the common format used by
the management system 150, network data is obtained from a
probe using one of the available table formats with the
format utilized being selected in the following order of
preference: alMatrixTopN (Terminal Mode), alMatrixTopN
(AllMode), alMatrix, nlMatrixTopN and nlMatrix.

As discussed above, an alMatrixTopN (Terminal Mode) table has
the advantage of requiring no format conversion operations.

The alMatrixTopN (AllMode) table requires a single conversion
operation, i.e., an all count mode to terminal count mode
conversion operation, to place it in the common format.
Unlike absolute count to delta count conversion operations,
as will be discussed below, terminal count conversion
operations can be performed without the need to use the
previously received data table. Accordingly, alMatrixTopN
(AllMode) tables can be converted to the common format with a
minimum of processing and memory requirements.

The alMatrix table is less desirable than the other
application layer tables because it requires two conversion
operations to place it in the common format. Furthermore, one
of the conversion operations requires buffering of a
retrieved data table for the duration of the data measurement
interval thereby requiring more memory than is required to
put the alMatrixTopN table in the common data format.

Identification of the probes which are coupled to the
management system 150, the data tables they support, and the
selection of the data table to be used with each probe occur
during execution, by CPU 154, of a management station
initialization routine 300. The routine 300 is one of the
initialization routines included in memory segment 171.

Operation of the management station 150 of the present
invention will now be discussed with regard to the
initialization routine 300 shown in Fig. 4A. The
initialization routine 300 is performed by the management
station, e.g., when the station is powered up or reset. The
initialization routine 300 begins in step 302 wherein the
initialization routines 171 are executed by the CPU 154.

In step 304, the management system 150 detects the probes
127, 137, 147 which are coupled to the system 150. The
detection of the probes may be done, as known in the art, by
transmitting a signal querying for a response from probes
which are present.

Once a probe is detected, the initialization routine
determines the network traffic table format that is to be
used with the detected probe and stores that information in
memory for future use, e.g., in determining what if any
format conversions need to be performed on data obtained from
the probe.



For each detected probe 127, 137, 147 the initialization
process proceeds through steps 306 through 322. The path
taken through these steps determines which table format will
be used with the identified probe.



In step 306 a determination is made as to whether or not the
probe being initialized supports application layer tables,
i.e., if the probe has alMatrix capability. In one
embodiment, alMatrix support is determined by querying a
probeCapabilities object supported by the detected probe and
monitoring the probe's response.



If in step 306 it is determined that the probe includes
alMatrix support, operation proceeds to step 308. In step
308, the management station 150 signals the probe to create
an alMatrixTopN table using terminal mode counting. If, in
step 310, it is determined, e.g., by receipt of a signal from
the probe, that creation of the desired alMatrixTopN table
was successful, operation proceeds to step 312. In step 312,
probe information in memory is updated to include an entry on
the probe being initialized and to indicate that the probe's
data is in alMatrixTopN (Terminal Count Mode) format. With
the successful updating of memory in step 312 to reflect the
presence and data table format of the detected probe which
was just initialized, operation proceeds to step 322.

If, in step 310 it was determined that terminal alMatrixTopN
table creation was unsuccessful, operation proceeds to step
314 instead of 312. In step 314 the management system 150
signals the probe being initialized to create an alMatrixTopN
table using all count mode (as opposed to terminal count
mode) counting.

If, in step 316, it is determined that all count Mode
alMatrixTopN table creation was successful, e.g., by
monitoring for a signal from the probe being initialized,
operation proceeds to step 318. In step 318, probe
information in memory is updated to include an entry on the
probe being initialized and to indicate that the probe's data
is in alMatrixTopN (all mode counting) format. With the
successful updating of memory in step 318 to reflect the
presence and data table format of the detected probe which
was just initialized, operation proceeds to step 322.

If, in step 316, it is determined that all Mode alMatrixTopN
table creation was unsuccessful operation proceeds to step
320. In step 320, probe information in memory is updated to
include an entry on the probe being initialized and to
indicate that the probe's data is in alMatrix format. With
the successful updating of memory in step 320 to reflect the
presence and data table format of the detected probe which
was just initialized, operation proceeds to step 322.

If in step 306, it is determined that the probe being
initialized does not support alMatrix tables, a network layer
table must be selected for use. In such a case, operation
proceeds from step 306 to step 324 wherein the management
station 150 signals the probe being initialized to create an
nlMatrixTopN table.

In step 326 a determination is made as to whether or not
creation of the nlMatrixTopN table was successful.

If, in step 326, it is determined that nlMatrixTopN table
creation was successful, e.g., by monitoring for a signal
from the probe being initialized, operation proceeds to step
328. In step 328, probe information in memory is updated to
include an entry on the probe being initialized and to
indicate that the probe's data is in nlMatrixTopN format.
With the successful updating of memory in step 328 to reflect
the presence and data table format of the detected probe
which was just initialized, operation proceeds to step 322.

If, in step 326, it is determined that all Mode nlMatrixTopN
table creation was unsuccessful, operation proceeds to step
330. In step 330, probe information in memory is updated to
include an entry on the probe being initialized and to
indicate that the probe's data is in nlMatrix format. With
the successful updating of memory in step 330 to reflect the
presence and data table format of the detected probe which
was just initialized, operation proceeds to step 322.

In step 322 a determination is made as to whether any probes
detected in step 304 remain uninitialized. If there is
another probe to be initialized, operation proceeds once
again to step 306 wherein initialization of the next probe
begins.



If, in step 322 it is determined that no probes remain to be
initialized, operation proceeds to step 332 wherein the
initialization routine is stopped pending its restart upon
the next power up or resetting of the management station 150.



An exemplary probe information/data table 169 created in
memory 150 via execution of the initialization routine is
illustrated in Fig. 4B. Each detected probe 127, 137, 147 is
identified in the table 169 as well as the format of the data
table which is to be obtained from the identified probe when
collecting network traffic data. Note that the table 169
includes temporary data table storage space used for storing
data tables used as part of the format conversion operations
discussed below. Note also that retrieved alMatrixTopN tables
and nlMatrixTopN tables need not be stored for use in
subsequent table format conversion operations since these
tables are retrieved from the probe in the desired delta
count format.

Once the management system 150 is initialized, collection,
processing and storage of network data commences. Figure 5
illustrates the collection, processing, storage and display
of network traffic data in accordance with an exemplary
embodiment of the present invention.

In Fig. 5, the groups of networks 120, 130, 140, from which
network traffic data is collected, are generally represented
as a group by the block 502. The probes 127, 137, 147 which
monitor each network, or network segment, serve as the source
of network traffic data which is supplied to the management
station 150. Network traffic data, in the form of a data
table, is supplied to the management station from each probe
127, 137, 147 periodically in response to requests from the
management station 150 for the information. The arrows
leading from the probes 127, 137, 147 to the data collection
and conversion step 504 of the management station 150
represent the passing of the requested network traffic data
to the management station 150.



Within the management station 150, there are several
processing blocks 504, 508, 515 which are used to represent
the various processing operations performed by the management
station 150. In addition, there are several blocks, e.g.,
blocks 506, 510 and 152 which are used to illustrate the
input and output data associated with the various processing
operations.






The data collection and conversion step 504 represents data
collection and formatting operations which are implemented
using computer software, in the form of the data collection
and conversion routines 164, to control the CPU 154.

In accordance with the processing performed in the data
collection and conversion module 504, network traffic data is
collected at periodic intervals from each of the detected
probes and converted, in accordance with the present
invention, into the preselected common format discussed
above. The processing performed by the module 504 will be
discussed in greater detail with regard to Fig. 6.



The output of the data collection and formatting step 504 is
a set of network traffic data 506, which includes data from
various probes that has been converted into the common data
format of the present invention. The network traffic data 506
represents data from multiple probes collected during one
periodic data collection operation involving the collection
of data from probes 127, 137, 147. The set of network traffic
data 506 serves as the input to a network traffic data set
generation and maintenance module 508. As will be discussed
in detail below, the data set generation and maintenance
module 508 is responsible for generating multiple parallel
sets of data which overlap in time but differ in terms of the
resolution at which the network traffic data is stored in
each data set. The group of data sets generated by the module
508 represent a network traffic database 510 extending in
time over multiple periodic data collection cycles.

The network traffic database 510 can be accessed, e.g., in
response to queries, processed, filtered and displayed and/or
printed. Data processing, filtering and display generation
step 515, which may be implemented by executing the routines
168 on the CPU 154, is responsible for performing such
operations. The output of step 515 may take several forms
including that of a printed document or a figure on the
display device 152.

In the Fig. 5 embodiment, a circle and lines display of
network traffic, generated in accordance with the present
invention, is shown on the display 152. In one such
embodiment, circles are used to represent computer networks
or groups of computer networks. Points within a circle are
used to represent devices located within the computer network
represented by the surrounding circle. Lines between points
are used to indicate detected conversations, while the
thickness of a line is used to indicate the amount of data
transferred during the monitored conversation. Note that in
the Fig. 5 embodiment, the outer circle on the display 152
represents the group of networks illustrated in Fig. 2 while
each of the inner circles represents one of the computer
networks 120, 130, 140.

Fig. 6A illustrates a method 600 corresponding, in one
exemplary embodiment of the invention, to the data collection
and conversion step 504. The routine 600 is executed
periodically, e.g., every 30 minutes, by the CPU 154. As
illustrated, the data collection and conversion routine 600
starts in step 602. During this step, the routine 600 is
obtained from memory by the CPU 154 and executed.



From step 602 operation proceeds to step 604 wherein the
stored information, included in table 169 about the probes
present in the network and the network traffic data table
format to be used with each probe, is accessed. Thus, the
data collection and conversion routine 600 obtains from
memory a list of probes that were detected during the
previously discussed initialization process and information
on the data table which the probe is to supply to the data
collection routine.

Steps 606 through 614 are used to collect and process network
traffic data corresponding to each individual probe that was
detected during the initialization process.

In routine 600, operation proceeds from step 604 to step 606.
In step 606 the processor 154 requests that the probe, from
which data is to be collected, supply the network traffic
data to the processor using the table format which was
associated with the probe in the probe information/data
table 169.



In step 608, the requested network traffic data table is
received from the probe. The processing performed on the
received network traffic data table to place it into the
common data format used in accordance with the present
invention depends on the type of data table received.



If in step 608 an alMatrixTopN (Terminal Count Mode) table is
received, no format conversion operations are required.
Accordingly, when an alMatrixTopN (Terminal Count Mode) table
is received operation proceeds from step 608 directly to step
614 wherein the received data table, including time stamps
indicating the time at which the network traffic occurred, is
stored in a buffer 173 included in memory 162.



If in step 608 an alMatrixTopN (AllCount Mode) table is
received, the data needs to be converted to terminal count
mode to place it in the common format before storage in the
buffer. In such a case, operation proceeds from step 608 to
step 610. In step 610 AllCount mode data is converted to
terminal mode count data. Once the conversion to terminal
count mode data is complete the resulting data table is
stored in the buffer 173.

If in step 608 an alMatrix table is received, the absolute
count data included therein needs to be converted to delta
count data and all mode count data needs to be converted to
terminal count mode data to place it in the common format
before storage in the buffer. In such a case, operation
proceeds from step 608 to step 612 and then to step 610. In
step 612, absolute count data is converted to delta count
data. In step 610 AllCount mode data is converted to terminal
count mode data. Once the conversion to terminal count mode
data is completed operation proceeds to step 614 wherein the
resulting data table is stored in the buffer 173.



If in step 608 an nlMatrix table is received, the absolute
count data needs to be converted to delta count data to place
it in the common format before storage in the buffer 173.
Note that terminal count conversion need not be performed
since application layer conversation information is not
available in an nlMatrix table. In step 608 when an nlMatrix
table is received, operation proceeds from step 608 to step
612. In step 612, absolute count data is converted to delta
count data. Once the conversion of absolute count data to
delta count data is completed, operation proceeds to step 614
wherein the resulting data table is stored in the buffer 173.

If in step 608 an nlMatrixTopN table is received, the data is
already in delta count format. In addition, terminal count
conversion need not be performed since application layer
conversation information is not available from the received
nlMatrixTopN table. In step 608 when an nlMatrixTopN table is
received, operation proceeds directly to step 614 wherein the
received data table is stored in the buffer 173.

From step 614, operation proceeds to step 616 wherein a
determination is made as to whether or not there are any
remaining probes from which data needs to be collected. If
there are probes remaining, from which data has not been
collected, operation proceeds from step 616 to step 606
wherein the process of collecting network traffic data from
the next probe

If, however, in step 616 it is determined that there are no
more probes from which data needs to be collected, e.g., it
is determined that network traffic data has been collected,
processed and placed in the buffer for each of the probes
identified in table 169, operation proceeds to step 618
wherein the data collection and conversion routine 600 is
stopped.

At this point in time, the buffer 173 includes data tables
for each identified probe 127, 137, 147 corresponding to the
just completed data collection cycle.

By the time the data collection and conversion routine 600
stops, data from each of the network traffic probes 127, 137,
147 will have been converted, as required, into the common
format used by the system of the present invention and stored
in the buffer 173. The buffered network traffic data existing
in a common format may then be used, e.g., in the subsequent
generation of a database of network traffic information.

The data collection and conversion routine 600 may be
re-executed each time it is desired to collect network
traffic data, e.g., periodically at 30 minute or hourly
intervals. To simplify absolute count data to delta count
data conversion, in one embodiment, the period between data
collections is selected to match the period for which the
delta count is to be generated, i.e., the delta count
represents the network traffic detected since the last time
the network traffic data table was retrieved.

Fig. 6B is an additional illustration showing how received
probe data, in the form of a network traffic data table, is
processed by the data collection and conversion routine 600
to generate a network traffic data table 640 in the desired
common data format (with the nlMatrixTopN and nlMatrix tables
of course lacking the desired but unavailable application
layer information). The five possible input data tables 621,
622, 623, 624 and 625 are shown on the left side of Fig. 6B.
The ovals 630 and 632 represent terminal count conversion and
delta generation operations, respectively. As illustrated,
the alMatrixTopN (Terminal Count Mode) and nlMatrixTopN data
tables are already in the desired common format. Thus,
conversion operations need not be performed on input tables
621 and 625.



However, to place the alMatrixTopN (All Count Mode) data 622
in the common data format the terminal count conversion
operation 630 is performed.

To place alMatrix data 623 in the common data format, both
the delta generation operation 632 and the terminal count
conversion operation 630 are performed.

To place nlMatrix data 624 into the common data format the
delta generation operation 632 is performed.

Thus, by performing delta generation operations and/or
terminal count conversion operations, it is possible to
convert data tables 622, 623 and 624 into the desired common
data format.



In accordance with an exemplary embodiment of the present
invention, the conversion of absolute count data to delta
count data may be performed in accordance with the following
exemplary pseudo code:

    Begin (delta count generation operation)

       If this is the first time data is received from the probe,
       Begin (if)

          store the data table received from the probe in the
          temporary data table storage location associated with
          the specific probe from which the data being processed
          was collected;

          use the data included in the data table as delta data;

       end if
       else

          retrieve the previously stored data table from the
          temporary data table storage location associated with
          the specific probe from which the data table being
          processed was collected;

          store the most recently collected data table in said
          temporary data table storage location;

          from the entries in each row of the most recently
          collected data table, subtract the corresponding packet
          and byte counter values obtained from the corresponding
          row of the table retrieved from said temporary data
          table storage location, the resulting packet and byte
          counters being the delta count values for the network
          traffic table being generated; and

          incorporate the generated delta count values in the
          network traffic data table upon which the conversion
          operation is being performed thereby replacing the
          absolute count values from which they were generated;

          discard the network traffic data table retrieved from
          said temporary storage location;

       end
    end (delta count generation operation)

In the pseudo code set forth above, the delta time interval
is the time interval between generation of the retrieved
tables by the probe which supplies the data being processed.

As an example of a delta count conversion operation consider
that a counter in a table corresponding to a specific probe
had a value of 100 the first time the data table was
retrieved from the specific probe, a value of 400 the next
time the data table was retrieved from the same probe and a
value of 600 the third time data was retrieved from the
probe. In such a case, the delta counter value generated in
accordance with the conversion process of the present
invention for the interval corresponding to the time period
between the first and second probe data retrievals would be
300 and the delta counter value generated for the second time
interval corresponding to the period of time between the
second and third probe data retrievals would be 200.



The conversion of all mode count data to terminal mode count
data is required to convert data from alMatrix and
alMatrixTopN (All Count Mode) tables into the common format
used by the apparatus of the present invention. The
conversion process of the present invention assumes that the
data in the tables has already been converted into delta
count values if it was not already in delta count format.

In accordance with the exemplary embodiment of the present
invention, the conversion of all count mode data to terminal
count mode data in step 610 and the terminal count conversion
operation 630, involve performing the steps set forth in the
following pseudo code:

    Begin {Conversion of All Count mode data
           to Terminal Count mode Data}

       For each individual conversation for which there is
       data in the data table being processed do
       Begin (do)

          determine the protocol hierarchy for the individual
          conversation;

          starting at the network layer protocols, subtract the
          counter values for each immediate (existing) child
          protocol, from the child protocol's immediate
          (existing) parent counter value and store the result
          as the parent protocol's terminal count counter value;

          repeat the preceding step for each child protocol
          until the entire protocol hierarchy has been
          traversed;

       End (do)
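
The table format choice made by the initialization routine of
Fig. 4A, and the delta generation and terminal count conversion
listings above, are tied together in the following added Python
example, which is not code from the patent. SimulatedProbe, the
function names, the 32-bit counter wrap and the sample counters
are assumptions constructed for illustration.

```python
# Added example: names, SimulatedProbe and sample counters are constructed.
AL_TOPN_TERMINAL = "alMatrixTopN (Terminal Count Mode)"
AL_TOPN_ALL = "alMatrixTopN (All Count Mode)"
AL_MATRIX, NL_TOPN, NL_MATRIX = "alMatrix", "nlMatrixTopN", "nlMatrix"

# Table format -> (needs delta generation, needs terminal count conversion)
CONVERSIONS = {
    AL_TOPN_TERMINAL: (False, False),
    AL_TOPN_ALL: (False, True),
    AL_MATRIX: (True, True),
    NL_TOPN: (False, False),
    NL_MATRIX: (True, False),
}
COUNTER_MOD = 2 ** 32  # assumption: 32-bit probe counters that wrap to zero


class SimulatedProbe:
    """Constructed stand-in for a probe's replies during initialization."""
    def __init__(self, name, al_matrix, creatable=()):
        self.name = name
        self.al_matrix = al_matrix       # reply to the probeCapabilities query
        self.creatable = set(creatable)  # TopN tables the probe agrees to create

    def create_table(self, table_format):
        return table_format in self.creatable


def select_table_format(probe):
    """Steps 306-330: most preferred table format the probe can supply."""
    if probe.al_matrix:                                # step 306
        for fmt in (AL_TOPN_TERMINAL, AL_TOPN_ALL):    # steps 308-318
            if probe.create_table(fmt):
                return fmt
        return AL_MATRIX                               # step 320
    return NL_TOPN if probe.create_table(NL_TOPN) else NL_MATRIX  # steps 324-330


def nearest_parent(proto, present):
    """Closest ancestor with a row in the table (IP/UDP may be turned off)."""
    parts = proto.split("/")
    for n in range(len(parts) - 1, 0, -1):
        candidate = "/".join(parts[:n])
        if candidate in present:
            return candidate
    return None


def to_terminal(table):
    """All count mode -> terminal count mode for every conversation."""
    out = {}
    for conv, rows in table.items():
        terminal = {proto: list(counts) for proto, counts in rows.items()}
        for proto, (pkts, octets) in rows.items():
            parent = nearest_parent(proto, rows)
            if parent is not None:       # subtract the child's all-count value
                terminal[parent][0] -= pkts
                terminal[parent][1] -= octets
        for proto, counts in terminal.items():
            if min(counts) < 0:          # inconsistent table: refuse to guess
                raise ValueError(f"children exceed parent counters at {proto}")
        out[conv] = {proto: tuple(c) for proto, c in terminal.items()}
    return out


class CommonFormatConverter:
    def __init__(self):
        self.previous = {}  # probe name -> last absolute table (temporary storage)

    def to_delta(self, probe_name, table):
        prev = self.previous.get(probe_name)
        self.previous[probe_name] = {c: dict(r) for c, r in table.items()}
        if prev is None:    # first retrieval: the data is used as delta data
            return {c: dict(r) for c, r in table.items()}
        out = {}
        for conv, rows in table.items():
            old = prev.get(conv, {})
            out[conv] = {}
            for proto, (pkts, octets) in rows.items():
                old_pkts, old_octets = old.get(proto, (0, 0))  # row not seen before
                out[conv][proto] = ((pkts - old_pkts) % COUNTER_MOD,
                                    (octets - old_octets) % COUNTER_MOD)
        return out

    def convert(self, probe_name, table_format, table):
        needs_delta, needs_terminal = CONVERSIONS[table_format]
        if needs_delta:        # step 612
            table = self.to_delta(probe_name, table)
        if needs_terminal:     # step 610
            table = to_terminal(table)
        return table           # ready to be stored in the buffer (step 614)


CONV = ("A", "B")  # constructed conversation, all count mode, absolute counters
SAMPLE_ALL_COUNT = {CONV: {
    "IP": (93, 9300), "IP/TCP": (77, 7700), "IP/TCP/FTP": (30, 3000),
    "IP/TCP/HTTP": (40, 4000), "IP/UDP/SNMP": (11, 1100),
}}
```

One CommonFormatConverter has to be kept alive across collection
cycles, because to_delta needs the table stored at the previous
retrieval from the same probe.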



single conversation could be counted in the various probe
table formats are based on the same contrived example
conversation. The byte and packet counts for the example
conversation, for one exemplary monitored time period, are
set forth below in Table 1. In accordance with the present
invention, the time period would correspond to the time
period for which al and nl MatrixTopN tables were configured.



In the. f d'^^pwing example j;conpersation, in the 
monitored time inte'i^al.-.; reflected dn l^ble 1, the 

-ess 123.45- 67. sfe was . talking to 



device with the IPii* 
Che device with IP 
packet and byte co\ 
to the conversation^ 



idresB 98 . 76 . 54 . 32| and the listed 
is .were seen b^ a probe in regard 





Protocol        Packets   Bytes
IP              50        5000
IP/TCP          20        4000
IP/TCP/FTP      200       30000
IP/TCP/HTTP     10        1000
IP/UDP/SNMP     120       10000

TABLE 1



The byte and packet counts for the example conversation shown in Table 1 include only the monitored protocols which were shown in the example hierarchy discussed earlier in regard to Fig. 3. Note that Table 1 reflects that the monitoring of UDP protocol has been turned off in the probe monitoring the conversation. Also note that in Table 1, e.g., IP/TCP represents all those packets which could only be decoded by the probe as far as the IP/TCP protocol; the IP/TCP count does not include the IP/TCP/FTP or IP/TCP/HTTP counts.

Examples of the processing performed in Fig. 6B for each of the five possible input table formats will now be provided based on the above discussed exemplary conversation.



1. alMatrixTopN (Terminal Count Mode) Table Processing Example

As discussed above, the alMatrixTopN (Terminal Count Mode) table monitors conversations at all the known application-layer protocols, and stores them, using delta counters, in a table which is ordered by the packet or byte counters (depending upon user-configuration). The counters in the alMatrixTopN (Terminal Count Mode) table work in Terminal Count Mode, and so a monitored packet increments only the counter of the "highest-level" protocol used in the packet.



In this example, we will assume that the user (or client program) has requested that the table be ordered by the byte counters. As the counters in this table work in Terminal Count Mode, the 200 IP/TCP/FTP packets, for example, increment only the IP/TCP/FTP packet counter by 200.

As a result, the alMatrixTopN (Terminal Count Mode) table for the exemplary conversation of TABLE 1 would look like this:

Network Layer   Source          Destination     Application Layer   Packets   Bytes
Protocol        Address         Address         Protocol
IP              123.45.67.89    98.76.54.32     IP/TCP/FTP          200       30000
IP              123.45.67.89    98.76.54.32     IP/UDP/SNMP         120       10000
IP              123.45.67.89    98.76.54.32     IP                  50        5000
IP              123.45.67.89    98.76.54.32     IP/TCP              20        4000
IP              123.45.67.89    98.76.54.32     IP/TCP/HTTP         10        1000

TABLE 2



Note that as this is a MatrixTopN table, the packet and byte counter values are the total number of packets and bytes for the conversation in the monitored time interval.

For alMatrixTopN (Terminal Count Mode), the counters are already delta values in terminal count mode so the table, Table 2, received from a probe, is automatically in the common data format. Accordingly, in accordance with Fig. 6B the alMatrixTopN (Terminal Count Mode) table would be stored, unmodified, in the buffer 173.

2. alMatrixTopN (All Count Mode) Table Processing Example

The alMatrixTopN (All Count Mode) table monitors conversations at all the known application-layer protocols, and stores them, using delta counters, in a table which is ordered by the packet or byte counters (depending upon user-configuration). The counters in the alMatrixTopN (All Count Mode) table work in All Count Mode, and so a monitored packet increments the counters for all the protocol layers used in the packet.

For the alMatrixTopN (All Count Mode) table, the monitored protocols increment the following counters for the exemplary conversation:

Protocol        Counters incremented
IP              IP
IP/TCP          IP, IP/TCP
IP/TCP/FTP      IP, IP/TCP, IP/TCP/FTP
IP/TCP/HTTP     IP, IP/TCP, IP/TCP/HTTP
IP/UDP/SNMP     IP, IP/UDP/SNMP

TABLE 3



This means that, for example, the 200 IP/TCP/FTP packets increment the IP, the IP/TCP and the IP/TCP/FTP packet counters by 200.

Note that the IP/UDP protocol is not being monitored in this example by the probe, so an IP/UDP counter is not maintained. Accordingly, packets for the IP/UDP/SNMP protocol do not increment an IP/UDP counter.



In this example, we will assume that the user (or client program) has requested that the table be ordered by the byte counters. Since the counters work in All Count Mode, the 200 IP/TCP/FTP packets increment the IP, the IP/TCP, and the IP/TCP/FTP packet counters by 200.

As a result, the alMatrixTopN (All Count Mode) table would look like this:

Network Layer   Source          Destination     Application Layer   Packets   Bytes
Protocol        Address         Address         Protocol
IP              123.45.67.89    98.76.54.32     IP                  400       50000
IP              123.45.67.89    98.76.54.32     IP/TCP              230       35000
IP              123.45.67.89    98.76.54.32     IP/TCP/FTP          200       30000
IP              123.45.67.89    98.76.54.32     IP/UDP/SNMP         120       10000
IP              123.45.67.89    98.76.54.32     IP/TCP/HTTP         10        1000

TABLE 4A

Note that as this is a MatrixTopN table, the packet and byte counter values are the total number of packets and bytes for the conversation in the monitored time interval.



In order to place the alMatrixTopN (All Count Mode) table in the selected common format used by the present invention, a terminal count conversion operation is performed on the values in table 4A as follows:

Protocol                                            Packets                Bytes
IP             IP - IP/UDP/SNMP - IP/TCP            400 - 230 - 120 = 50   50000 - 10000 - 35000 = 5000
IP/UDP/SNMP                                         = 120                  = 10000
IP/TCP         IP/TCP - IP/TCP/FTP - IP/TCP/HTTP    230 - 200 - 10 = 20    35000 - 30000 - 1000 = 4000
IP/TCP/FTP                                          = 200                  = 30000
IP/TCP/HTTP                                         = 10                   = 1000

TABLE 4B

After terminal count conversion, the counter values are now delta counter values expressed in terminal count mode format, giving the following table.

Network Layer   Source          Destination     Application Layer   Packets   Bytes
Protocol        Address         Address         Protocol
IP              123.45.67.89    98.76.54.32     IP                  50        5000
IP              123.45.67.89    98.76.54.32     IP/TCP              20        4000
IP              123.45.67.89    98.76.54.32     IP/TCP/FTP          200       30000
IP              123.45.67.89    98.76.54.32     IP/TCP/HTTP         10        1000
IP              123.45.67.89    98.76.54.32     IP/UDP/SNMP         120       10000

TABLE 4C



Since the monitored probe data is now in the desired common format, Table 4C is ready for storage in buffer 173.



alMatrix Table Processing Example

The alMatrix table monitors conversations at all the known application-layer protocols, and stores them, using absolute counters, in a table which is ordered by network-layer protocol, source and destination addresses, and application layer protocol. The counters in the alMatrix table work in All Count Mode, and so a monitored packet increments the counters for all the protocol layers used in the packet.

Since the alMatrix table works in All Count Mode, the monitored protocols increment the counters illustrated in Table 3.



As a result, the alMatrix table would look like this:

Network Layer   Source          Destination     Application Layer   Packets   Bytes
Protocol        Address         Address         Protocol
IP              123.45.67.89    98.76.54.32     IP                  1200      150000
IP              123.45.67.89    98.76.54.32     IP/TCP              690       1000000
IP              123.45.67.89    98.76.54.32     IP/TCP/FTP          600       90000
IP              123.45.67.89    98.76.54.32     IP/TCP/HTTP         30        3000
IP              123.45.67.89    98.76.54.32     IP/UDP/SNMP         360       30000

TABLE 5A

Assuming the previously retrieved alMatrix Table from the same probe was as follows:

Network Layer   Source          Destination     Application Layer   Packets   Bytes
Protocol        Address         Address         Protocol
IP              123.45.67.89    98.76.54.32     IP                  800       100000
IP              123.45.67.89    98.76.54.32     IP/TCP              460       965000
IP              123.45.67.89    98.76.54.32     IP/TCP/FTP          400       60000
IP              123.45.67.89    98.76.54.32     IP/TCP/HTTP         20        2000
IP              123.45.67.89    98.76.54.32     IP/UDP/SNMP         240       20000

TABLE 5B



For the alMatrix Table 5A the counter values are absolute values presented in all count mode. Accordingly, to place the alMatrix Table 5A into the desired common format, the counter values must be converted to delta values and all count mode values need to be converted to terminal count mode values.



In accordance with the present invention the first step is the generation of delta values. This is done by subtracting the counter values in the alMatrix Table 5B, which was received during the last collection operation, from the corresponding counter values found in the most recently received alMatrix Table 5A. Table 5B may be obtained from the temporary data table store located in memory. The resulting table, Table 5C, which includes the delta values generated by the subtraction operation, is shown below:


Network Layer   Source          Destination     Application Layer   Packets   Bytes
Protocol        Address         Address         Protocol
IP              123.45.67.89    98.76.54.32     IP                  400       50000
IP              123.45.67.89    98.76.54.32     IP/TCP              230       35000
IP              123.45.67.89    98.76.54.32     IP/TCP/FTP          200       30000
IP              123.45.67.89    98.76.54.32     IP/TCP/HTTP         10        1000
IP              123.45.67.89    98.76.54.32     IP/UDP/SNMP         120       10000

TABLE 5C

After delta count conversion, the values in Table 5C still need to be converted to terminal count mode values. Terminal count conversion involves performing the subtractions shown in Table 5D.

Protocol                                            Packets                Bytes
IP             IP - IP/UDP/SNMP - IP/TCP            400 - 230 - 120 = 50   50000 - 10000 - 35000 = 5000
IP/UDP/SNMP                                         = 120                  = 10000
IP/TCP         IP/TCP - IP/TCP/FTP - IP/TCP/HTTP    230 - 200 - 10 = 20    35000 - 30000 - 1000 = 4000
IP/TCP/FTP                                          = 200                  = 30000
IP/TCP/HTTP                                         = 10                   = 1000

TABLE 5D

The terminal count conversion operation produces the following table:

Network Layer   Source          Destination     Application Layer   Packets   Bytes
Protocol        Address         Address         Protocol
IP              123.45.67.89    98.76.54.32     IP                  50        5000
IP              123.45.67.89    98.76.54.32     IP/TCP              20        4000
IP              123.45.67.89    98.76.54.32     IP/TCP/FTP          200       30000
IP              123.45.67.89    98.76.54.32     IP/TCP/HTTP         10        1000
IP              123.45.67.89    98.76.54.32     IP/UDP/SNMP         120       10000

TABLE 5E

As Table 5E is now in the common data format, i.e., with counter values expressed as delta counter values in terminal count mode, Table 5E can be stored in the buffer 173.
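The delta conversion and terminal count conversion worked through in Tables 5A to 5D, following the pseudo code given earlier, as an added Python example that is not part of the patent text. Function names are chosen here; the IP/TCP/HTTP packet count of Table 5A is illegible in the scan and is taken as 30 (Table 5B's 20 plus Table 5C's 10), and rejecting a counter that runs backwards is an assumption the page does not address.

```python
"""Delta conversion followed by terminal count conversion for one conversation."""

# All Count mode, absolute counters: protocol -> (packets, bytes).
# Values follow Table 5A (current retrieval) and Table 5B (previous retrieval).
# The IP/TCP/HTTP packet count of Table 5A is inferred as 30 (assumption).
TABLE_5A = {
    "IP": (1200, 150000),
    "IP/TCP": (690, 1000000),
    "IP/TCP/FTP": (600, 90000),
    "IP/TCP/HTTP": (30, 3000),
    "IP/UDP/SNMP": (360, 30000),
}
TABLE_5B = {
    "IP": (800, 100000),
    "IP/TCP": (460, 965000),
    "IP/TCP/FTP": (400, 60000),
    "IP/TCP/HTTP": (20, 2000),
    "IP/UDP/SNMP": (240, 20000),
}


def to_delta(current, previous):
    """Absolute counters -> counts for the interval since the last retrieval."""
    delta = {}
    for proto, (pkts, nbytes) in current.items():
        # A protocol not seen in the previous retrieval starts from zero.
        old_pkts, old_bytes = previous.get(proto, (0, 0))
        if pkts < old_pkts or nbytes < old_bytes:
            # Assumption added here: the page does not say what to do when a
            # counter runs backwards (probe restart or wrap), so refuse.
            raise ValueError(f"counter for {proto} decreased")
        delta[proto] = (pkts - old_pkts, nbytes - old_bytes)
    return delta


def existing_parent(proto, table):
    """Nearest ancestor of proto that actually has a counter in this table.

    IP/UDP is not monitored in the example, so the existing parent of
    IP/UDP/SNMP is IP.
    """
    parts = proto.split("/")
    for depth in range(len(parts) - 1, 0, -1):
        candidate = "/".join(parts[:depth])
        if candidate in table:
            return candidate
    return None


def to_terminal(all_count):
    """All Count mode -> Terminal Count mode.

    Each protocol's all-count value is subtracted from its immediate existing
    parent, which leaves every counter holding only the packets whose
    highest decoded protocol is that counter's protocol.
    """
    terminal = {proto: list(counts) for proto, counts in all_count.items()}
    for proto, (pkts, nbytes) in all_count.items():
        parent = existing_parent(proto, all_count)
        if parent is not None:
            terminal[parent][0] -= pkts
            terminal[parent][1] -= nbytes
    for proto, (pkts, nbytes) in terminal.items():
        if pkts < 0 or nbytes < 0:
            raise ValueError(f"children of {proto} exceed its own count")
    return {proto: tuple(counts) for proto, counts in terminal.items()}


def to_common_format(current, previous):
    """alMatrix input: delta conversion first, then terminal count conversion."""
    return to_terminal(to_delta(current, previous))


if __name__ == "__main__":
    for proto, (pkts, nbytes) in to_common_format(TABLE_5A, TABLE_5B).items():
        print(f"{proto:<12} {pkts:>5} {nbytes:>7}")
```
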

nlMatrixTopN Table Processing Example

The nlMatrixTopN table monitors conversations at the network-layer protocols and stores them, using delta counters, in a table which is ordered by the packet or byte counters (depending upon user-configuration).

The nlMatrixTopN table monitors only network-layer protocols, and so will consider all of the packets given in the exemplary conversation to be IP packets, and so the stored table would be as follows:

Network Layer   Source          Destination     Packets   Bytes
Protocol        Address         Address
IP              123.45.67.89    98.76.54.32     400       50000



Note that as this is a MatrixTopN table, the packet and byte counter values are the total number of packets and bytes for the conversation in the monitored time interval. Since the counter values in the nlMatrixTopN table are already delta counter values, no conversion processing needs to be performed on the nlMatrixTopN table and it is ready for storage in the buffer 173 as retrieved.

nlMatrix Table Processing Example



The nlMatrix table monitors conversations at the network-layer protocols only. It stores the counted byte and packet information, using absolute count values, in a table which is ordered by network-layer protocol and source and destination addresses.

As the nlMatrix table monitors only network-layer protocols, it will consider all of the packets given in the example conversation to be IP packets, and so the stored table would look like this:

Protocol        Source Address  Destination Address   Packets   Bytes
IP              123.45.67.89    98.76.54.32           1200      150000

TABLE 7A

Assuming the most recent previously retrieved nlMatrix Table from the same probe was as follows:

Protocol        Source Address  Destination Address   Packets   Bytes
IP              123.45.67.89    98.76.54.32           800       100000

TABLE 7B

In order to place the nlMatrix table in the desired common format, a delta conversion operation is performed. This involves subtracting the counter values from the current nlMatrix Table 7A from the corresponding counter values in the previously received Table 7B to generate a table as follows:

Protocol        Source Address  Destination Address   Packets   Bytes
IP              123.45.67.89    98.76.54.32           400       50000

TABLE 7C

Since Table 7C is now in the desired common format with delta counter values, it is ready for storage in the buffer 173.

As the result of the data collection and conversion routines discussed above, the data placed in the buffer 173 is in the common format rendering it suitable for use, e.g., in generating a network traffic database.

Figure 7 illustrates how the network traffic data 701, 703, 705 from the first through third probes respectively, placed in the buffer 173, can be used to generate a network traffic database 707. In accordance with one embodiment of the present invention, the network traffic data 701, 703, 705 is processed by a database generation and maintenance routine 700 to generate a database 707.



Unlike prior art databases which do not include data sets of different resolutions which overlap in time, the database 707 includes multiple resolutions of the same data in parallel, e.g., in hourly, 6 hourly, daily, weekly data sets. These data sets are stored in corresponding FIFO data structures 709, 711, 713, 715, respectively. The database 707 may be stored on the data storage device 158.



The parallel, multi-resolution storage method of the present invention provides a relatively simple means of managing a network traffic database and limiting its size without the need for an aging process and the double buffering often associated with such processes.

While the amount of processing required to create and maintain multiple parallel sets of data in different resolutions may be slightly greater than systems which do not use parallel sets, the processing associated with creating such a database is more constant than systems which involve aging processes. This is because the periodic load associated with the aging process is avoided when using the method of the present invention. A further benefit of this scheme is that the different resolutions of data are readily available which makes switching between different data resolutions easy and efficient when displaying data or responding to administrator queries.

In the exemplary embodiment of Fig. 7, the disk space allocated to the database 707 is divided into 4 parts and assigned to the following fixed resolutions: hourly, 6-hourly, daily and weekly. As discussed above each row of a data table 701, 703, 705 corresponds to a monitored conversation and includes byte and packet count information. Time stamp information indicating the time the conversation was monitored is also included in the tables 701, 703, 705.

As each row of data is read in from one of the tables 701, 703, 705 it is used to create or update an entry in each of the parallel data sets 709, 711, 713, 715. Within the created parallel data sets, each record is used to represent a conversation between two hosts and the records are time aligned depending on the resolutions: hourly on the hour; 6 hourly at 0600, 1200, 1800 and 2400 hrs; daily at 2400 hrs; and weekly at 2400 hrs on Saturday. Database records for the same time interval can be considered as being in the same "bucket". Thus, a bucket is a set of data storage records for storing network traffic data corresponding to the preselected unit of time used for the resolution to which the bucket corresponds.

Fig. 8 illustrates the database generation and maintenance routine 700 of the present invention in greater detail. The illustrated routine 700 may be one of the parallel data set generation routines stored in the management station's memory 162.

The routine 700 begins in step 702 wherein the database generation routine is started, e.g., by having the CPU 154 load and begin executing the routine 700. In embodiments where the routine 700 is implemented using parallel processing, it may be loaded into, and executed by the CPU 155 at the same time it is being loaded and executed by the CPU 154. In a parallel processing embodiment, the different CPUs 154, 155 are normally responsible for creating and maintaining, in parallel, data of different resolutions. For example, CPU 154 may be responsible for creating and maintaining the hourly and 6 hour network traffic data sets while the CPU 155 might be responsible for creating the daily and weekly network traffic data sets.

For the sake of simplicity the following discussion will assume that the routine 700 is executed by the processor 154. However, it is to be understood that, as discussed above, multi-processor implementations are possible.

Operation proceeds from step 702 to step 704 wherein the CPU 154 creates hourly, 6 hour, daily and weekly FIFO data structures, one for each of the different data set resolutions to be supported. Step 704 may involve, e.g., allocating data storage records to serve as buckets. For example, the hourly FIFO would comprise a plurality of buckets each corresponding to a one hour period of time. Each bucket may include several records or entries each corresponding to a different conversation/protocol pair. The daily FIFO would comprise a plurality of buckets each corresponding to a different one day period of time. As will be discussed below, as time progresses, each bucket in the FIFO is filled. When all the records in a FIFO are filled, the records in the oldest buckets are overwritten thereby insuring that the process can continue after the available storage space is used.

■■'•*• y ■ *^ ■ ' ^ I I ' 

Once the FIFO data structures are created in step 704, operation proceeds to step 706. In step 706, the buffer 173 into which collected network traffic data is placed, is monitored for network traffic data. Upon detecting that network traffic data has been placed into buffer 173, operation proceeds to step 708. In step 708, the time stamps associated with the buffered data are examined. In step 710, the buffered network traffic data is assigned to be included in individual buckets of the FIFO structures as a function of the examined time stamps. Thus data is placed in buckets, e.g., sets or groups of records corresponding to the basic unit of time supported, as a function of time stamps indicative of the time period in which the network traffic was monitored. Accordingly, data collection and reporting delays encountered by the management station 150 do not negatively impact the accuracy of the created network traffic database.






Steps 712, 714, 716 and 718, which are illustrated in parallel, represent the updating of records included in the hourly, 6 hourly, daily and weekly FIFO data structures, respectively, using the same set of network traffic data. Steps 712, 714, 716, 718 are illustrated in parallel to show that they may be performed in parallel by one or more CPUs 154, 155.

Operation proceeds from steps 712, 714, 716 and 718 to step 720 wherein the data obtained from the buffer 173, used to update the hourly, six hourly, daily and weekly records, is deleted. Operation then returns to monitoring step 706 so that the database updating process will be performed on a continuous basis until, e.g., the management station 150 is powered off or reset.

As a simple example of the generation of the hourly and 6 hourly data sets, consider hosts A through F, illustrated in Fig. 1 as computers 21, 22, 23, 31, 32, 33, respectively. The boxes in Fig. 9 represent database records created from traffic between hosts A through F. Dashed lines are used to indicate different hourly time periods 901, 902, 903, 904, 905, 906 and a single 6 hourly time period 910. In Fig. 9, the range of numbers at the top of each time period is used to indicate the specific hour or hours included in the time period, the first and second letters in each box indicate the two hosts involved in the monitored conversation. In addition, the number in the box indicates the number of packets exchanged between the indicated hosts during the indicated time period.

The first hourly time period, beginning at [illegible], corresponds to bucket 901. Two conversations were detected during this first hourly time period. A first conversation between devices A and B which involved 10 packets and a second conversation between devices [illegible] and E which involved 6 packets. The number of bytes, in addition to the number of packets, may also be stored in each record of the database 707.

Note that over a six-hour period, the hourly resolution data set 920 has six "buckets", 901 through 906, corresponding to the first through sixth hourly time periods and the 6-hourly data set has one bucket 910 corresponding to the entire period. Note also that the 6-hour bucket 910 has more conversations and thus more entries than any one of the individual hourly buckets 901 through 906. However, the records in the six hour data set 922 are of a lower resolution than the hourly data set 920, and they do not include detailed hourly conversation data.



In accordance with one embodiment of the present invention, access is limited to complete data records. Thus, data in a given time period may not be accessed until the record is fully complete, i.e., all the data from the system probes for the given time period has been included in the data record. By restricting access to complete data records, the presentation of incomplete data counts to an application or system user is avoided. In other embodiments, up to the minute data records are made available. In such embodiments, a user may access the most recent data in the weekly database despite the fact that the collection of the data for the current week is not yet complete.

As discussed above, as the data at a resolution fills the part of the storage space assigned to that particular resolution, the data structure used to store the data records at the particular resolution operates as a FIFO data structure. Accordingly, the records corresponding to the data set of the particular resolution will be reused to store new data. The hourly data set will be the first resolution to hit its database size limit when the available storage space for the database 707 is equally divided amongst the four supported resolutions since it grows the fastest. However, given limited available storage space, all the resolutions will reach their limit given sufficient operational time. Fig. 10 illustrates an exemplary steady state condition that may be reached after 7 weeks of operating one exemplary system 1200. Note that in the Fig. 10 example, the database includes enough storage space to store hourly information for [illegible] days, 6-hourly information for 4.5 days, daily information for [illegible] days and weekly information for 7 weeks assuming the use of the same amount of storage for each of the different resolutions. Note that the actual time periods for a given system will depend on the number of conversations which are monitored and the actual amount of storage space allocated for the database 707.
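The update loop of steps 704 to 720 and the FIFO reuse described above, as an added Python example that is not part of the patent text. Class and function names, the bucket capacities and the sample rows are constructed for illustration.

```python
from datetime import datetime, timedelta

# Buckets kept per resolution. These capacities are assumptions for the
# example; the page only says storage is divided among the four resolutions.
CAPACITY = {"hourly": 48, "6-hourly": 18, "daily": 14, "weekly": 7}


def bucket_start(ts, resolution):
    """Start of the time-aligned bucket that contains time stamp ts."""
    hour = ts.replace(minute=0, second=0, microsecond=0)
    if resolution == "hourly":        # aligned on the hour
        return hour
    if resolution == "6-hourly":      # boundaries at 0600, 1200, 1800, 2400 hrs
        return hour.replace(hour=hour.hour - hour.hour % 6)
    day = hour.replace(hour=0)
    if resolution == "daily":         # boundary at 2400 hrs
        return day
    if resolution == "weekly":        # boundary at 2400 hrs on Saturday
        return day - timedelta(days=(day.weekday() + 1) % 7)
    raise ValueError(f"unknown resolution {resolution!r}")


class TrafficDatabase:
    """One FIFO of buckets per resolution, all fed from the same rows."""

    def __init__(self, capacity=None):
        self.capacity = dict(CAPACITY if capacity is None else capacity)
        # Step 704: one structure per resolution, bucket start -> records.
        self.fifos = {res: {} for res in self.capacity}

    def update(self, buffered_rows):
        """Steps 708 to 720 for the rows currently held in the buffer."""
        for ts, src, dst, proto, packets, nbytes in buffered_rows:
            for res, fifo in self.fifos.items():
                # Steps 708/710: the row's own time stamp picks the bucket,
                # so a late report still lands in the period it describes.
                bucket = fifo.setdefault(bucket_start(ts, res), {})
                record = bucket.setdefault((src, dst, proto), [0, 0])
                record[0] += packets
                record[1] += nbytes
                while len(fifo) > self.capacity[res]:
                    del fifo[min(fifo)]   # oldest bucket is overwritten
        buffered_rows.clear()             # step 720: buffer data is deleted


def demo():
    """Constructed sample: three buffered rows, the last one reported late."""
    a, b = "123.45.67.89", "98.76.54.32"
    buffer_rows = [
        (datetime(2024, 1, 10, 13, 5), a, b, "IP/TCP/FTP", 200, 30000),
        (datetime(2024, 1, 10, 13, 40), a, b, "IP/TCP/FTP", 50, 7000),
        (datetime(2024, 1, 10, 9, 20), a, b, "IP/UDP/SNMP", 120, 10000),
    ]
    db = TrafficDatabase()
    db.update(buffer_rows)
    return db, buffer_rows


if __name__ == "__main__":
    database, _ = demo()
    for res, fifo in database.fifos.items():
        for start in sorted(fifo):
            print(res, start.isoformat(), fifo[start])
```
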



What is claimed is:

1. A method of using network traffic data probes in a computer network including said network traffic data probes, the method comprising the steps of:
    detecting network traffic data probes in the computer network;
    controlling at least some of the detected network traffic data probes to collect and store network traffic data in one of a plurality of network traffic data table formats, the data table format being used with each individual controlled probe being the one of the plurality of data table formats that is supported by the individual controlled probe that is closest to a preselected common network traffic data format; and
    periodically retrieving from each individual controlled probe, network traffic data collected by the individual controlled probe.

2. The method of claim 1, wherein the step of controlling at least some of the detected network traffic data probes to collect and store network traffic data in one of a plurality of network traffic data table formats includes the step of:
    selecting a network traffic data table format which includes application layer information over a network traffic data table format that includes only network layer information.

3. The method of claim [illegible],
    wherein the network traffic probes are RMON2 probes; and
    wherein the step of controlling at least some of the detected network traffic data probes to collect and store network traffic data in one of a plurality of network traffic data table formats further includes the step of:
    selecting a network traffic data table format which includes delta count values over a network traffic data table format that includes absolute count values.

4. The method of claim 3, wherein the step of controlling at least some of the detected network traffic data probes to collect and store network traffic data in one of a plurality of network traffic data table formats further includes the step of:
    selecting a network traffic data table format which includes terminal count mode values over a network traffic data table format that includes all count mode values.

5. The method of claim 1,
    wherein the network traffic data probes are RMON2 probes; and
    wherein the step of controlling at least some of the detected network traffic data probes to collect and store network traffic data in one of a plurality of network traffic data table formats further includes the step of:
    selecting a network traffic data table format which includes delta count values over a network traffic data table format that includes absolute count values.

6. The method of claim [illegible],
    wherein the network traffic data probes are RMON2 data probes;
    wherein the step of controlling at least some of the detected network traffic data probes to collect and store network traffic data in one of a plurality of network traffic data table formats further includes the step of:
    selecting a network traffic data table format which includes terminal count mode values over a network traffic data table format that includes all count mode values;

at least some of the detected net
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